Mattermost Timing Attack Vulnerability in Cloud API Keys and OAuth Secrets

Vulnerability

A vulnerability exists in Mattermost versions 10.5.x through 10.5.10 and 10.11.x through 10.11.2, where sensitive string comparisons are not performed in constant time. Because such a comparison returns as soon as it finds a mismatching byte, the response time acts as a timing oracle: an attacker can measure how long the server takes to reject a guess and use that to brute-force Cloud API keys and OAuth client secrets one byte at a time.
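To make the flaw concrete, the following Go example (added here; it is not Mattermost's code and the secret value is a constructed sample) places an early-exit comparison beside a constant-time one. `earlyExitEqual` counts how many bytes it examines before giving up, which is exactly the quantity a timing oracle leaks; `constantTimeEqual` hashes both inputs to a fixed length and then compares them with `crypto/subtle`, so the work done no longer depends on where the first difference lies. The function names and the `stored` value are this example's own choices.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// vulnerableEqual is the pattern the advisory describes: Go's string ==
// stops at the first mismatching byte, so its running time grows with
// the length of the prefix the guess shares with the real secret.
func vulnerableEqual(presented, stored string) bool {
	return presented == stored
}

// earlyExitEqual is an explicit version of that early-exit loop that also
// returns the number of bytes it inspected. In a real deployment the
// attacker cannot see this number, but the response latency is
// proportional to it, which is what makes byte-by-byte recovery possible.
func earlyExitEqual(presented, stored string) (equal bool, bytesExamined int) {
	n := len(presented)
	if len(stored) < n {
		n = len(stored)
	}
	for i := 0; i < n; i++ {
		bytesExamined++
		if presented[i] != stored[i] {
			return false, bytesExamined
		}
	}
	return len(presented) == len(stored), bytesExamined
}

// constantTimeEqual is the remediated form. Hashing first gives both
// operands the same fixed length, so ConstantTimeCompare never takes its
// length-mismatch shortcut, and the comparison itself touches every byte
// regardless of where (or whether) the inputs differ.
func constantTimeEqual(presented, stored string) bool {
	p := sha256.Sum256([]byte(presented))
	s := sha256.Sum256([]byte(stored))
	return subtle.ConstantTimeCompare(p[:], s[:]) == 1
}

func main() {
	stored := "example-oauth-client-secret" // constructed sample, not a real secret
	guesses := []string{stored, "example-oauth-client-secreX", "wrong"}
	for _, g := range guesses {
		_, examined := earlyExitEqual(g, stored)
		fmt.Printf("%-30q vulnerable=%-5v bytesExamined=%-3d constantTime=%v\n",
			g, vulnerableEqual(g, stored), examined, constantTimeEqual(g, stored))
	}
}
```

When reviewing code that validates API keys, client secrets or tokens, the check to make is that every such comparison goes through `subtle.ConstantTimeCompare` (or an equivalent) rather than `==`, `bytes.Equal` or `strings.Compare`; hashing before comparing, as above, also avoids leaking the secret's length.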

Impact

Exploitation of this vulnerability could lead to successful brute force attacks on Cloud API keys and OAuth client secrets, allowing attackers to gain unauthorized access or perform actions on behalf of users.

Remediation

Upgrade to Mattermost version 11.0.0 or 10.12.0, which fix this vulnerability.

Added: Oct 16, 2025, 9:20 AM
Updated: Oct 16, 2025, 3:55 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 5.2
remediation: 7.7
relevance: 0.7
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.